aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ike_sa_manager.c
Commit message (Collapse)AuthorAgeFilesLines
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-041-2/+2
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ike-sa-manager: Improve scalability of half-open IKE_SA checkingTobias Brunner2014-04-241-7/+8
| | | | | | | | | | | | | | | This patch is based on one by Christoph Gouault. Currently, to count the total number of half_open IKE_SAs, get_half_open_count sums up the count of each segment in the SA hash table (acquiring a lock for each segment). This procedure does not scale well when the number of segments increases, as the method is called for each new negotiation. Instead, lets maintain a global atomic counter. This optimization allows the use of big values for charon.ikesa_table_size and charon.ikesa_table_segments.
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-121-4/+4
|
* Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required ↵Tobias Brunner2013-10-111-1/+1
| | | | for IKEv2 anyway
* ikev1: Accept reauthentication attempts with a keep unique policy from same hostMartin Willi2013-09-301-6/+17
| | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
* ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policyMartin Willi2013-09-301-8/+29
| | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth.
* Merge branch 'ikev1-rekeying'Martin Willi2013-03-011-0/+21
|\ | | | | | | | | Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeyingMartin Willi2013-02-201-0/+21
| |
* | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-011-26/+28
|\ \ | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | For IKEv1 Main Mode, use message hash to detect early retransmissionsMartin Willi2013-02-251-10/+23
| | | | | | | | | | | | | | | As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
| * | Use INIT macro to initialize IKE_SA manager entriesMartin Willi2013-02-251-17/+6
| |/
* / Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACTTobias Brunner2013-02-281-0/+1
|/ | | | | In other cases (i.e. when functions return DESTROY_ME) the event should already be triggered, but not in this forced situation.
* Include source port in init hash for fragmented messagesTobias Brunner2012-12-241-1/+8
|
* Map fragmented initial initial Main or Aggressive Mode messages to the same ↵Tobias Brunner2012-12-241-1/+17
| | | | IKE_SA
* Don't update an IKE_SA-entry's cached message ID when handling fragmentsTobias Brunner2012-12-241-1/+4
|
* Raise alerts when enforcing IKE_SA unique policyMartin Willi2012-12-191-0/+1
|
* Add an ikesa_limit option to limit number of IKE_SAs as responderMartin Willi2012-11-161-19/+39
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-241-1/+1
|
* Raise a bus alert when a received message contains unknown SPIsMartin Willi2012-10-241-0/+4
|
* Add uniqueids=never to ignore INITIAL_CONTACT notifiesTobias Brunner2012-09-101-1/+1
| | | | | | With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies.
* Remove the unused second IKE_SA entry match function argumentMartin Willi2012-08-201-4/+4
| | | | LLVMs clang complains about this parameter, so remove it.
* Include src address in hash of initial message for Main ModeTobias Brunner2012-08-081-5/+31
| | | | | | | If two initiators use the same SPI and also use the same SA proposal the hash for the initial message would be exactly the same. For IKEv2 and Aggressive Mode that's not a problem as these messages include random data (Ni, KEi payloads).
* Add a return value to hasher_t.allocate_hash()Martin Willi2012-07-161-2/+7
|
* Check rng return value when generating SPIs in ike_sa_manager_tTobias Brunner2012-07-161-35/+67
|
* Use XAuth/EAP remote identity for uniqueness checkMartin Willi2012-06-251-2/+2
|
* Use name from initialization to access settings in libcharon.Tobias Brunner2012-05-031-5/+7
| | | | Also fixes several whitespace errors.
* Fix iteration through half-open IKE_SA tableMartin Willi2012-04-161-0/+1
|
* Properly handle retransmitted initial IKE messages.Tobias Brunner2012-03-201-58/+74
| | | | | | This change allows to properly handle retransmits of initial IKE messages when we've already processed them (i.e. our response is now resent immediately).
* Implemented table of init hashes without linked_list_t.Tobias Brunner2012-03-201-30/+30
|
* Implemented table of connected peers without linked_list_t.Tobias Brunner2012-03-201-63/+75
|
* Implemented table of half open IKE_SAs without linked_list_t.Tobias Brunner2012-03-201-52/+47
|
* Don't use linked_list_t for buckets in main IKE_SA hash table.Tobias Brunner2012-03-201-57/+82
|
* Fixed deadlock if checkin_and_destroy is called during shutdown.Tobias Brunner2012-03-201-0/+10
|
* Do not clone hashes of initial IKE messages when storing them in the hash table.Tobias Brunner2012-03-201-7/+6
|
* Store IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.Tobias Brunner2012-03-201-2/+13
| | | | | For IKEv1 the previous behavior of always using the initiator's SPI as key is maintained.
* Added separate hashtable for hashes of initial IKE messages.Tobias Brunner2012-03-201-64/+139
| | | | This does not require us to do a lookup for an SA by SPI first.
* Store the major IKE version on ike_sa_id_t.Tobias Brunner2012-03-201-3/+6
|
* Adopt children after syncing a rekeyed IKEv1 SAMartin Willi2012-03-201-1/+2
|
* Set thread specific SA on bus for each enumerated IKE_SAMartin Willi2012-03-201-1/+11
|
* Clear initiator flag when checking out initial IKEv1 SA from messageMartin Willi2012-03-201-0/+4
|
* Don't invoke updown hook when flushing SAs for IKEv1, tasks will do itMartin Willi2012-03-201-10/+12
|
* Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identitiesMartin Willi2012-03-201-34/+47
|
* Implemented responder retransmission, currently enabled for quick mode onlyMartin Willi2012-03-201-1/+1
|
* Fixed leak of a hash when checking out by hashMartin Willi2012-03-201-0/+1
|
* Handle initiation of not supported IKE versions properlyMartin Willi2012-03-201-16/+21
|
* Remove executable flag from source code filesMartin Willi2012-03-201-0/+0
|
* Handling of initial contactClavister OpenSource2012-03-201-0/+11
|
* Don't compare initiator flag in IKE_SA manager, pass initiator parameter to ↵Martin Willi2012-03-201-4/+3
| | | | IKE_SA constructor
* Don't clone chunk in message.get_packet_dataMartin Willi2012-03-201-4/+3
|
* Store IKE version of an SA on ike_sa_t.Tobias Brunner2012-03-201-5/+8
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 13:53:30 +0000